Chances are good it is vulnerable:

https://svnweb.freebsd.org/base/release/10.0.0/contrib/ntp/ntpd/ntpd.c?view=log
https://svnweb.freebsd.org/base/release/10.1.0/contrib/ntp/ntpd/ntpd.c?view=log

Regarding the diff:

    diff -ru ntp-dev-4.2.7p486-RC ntp-4.2.8 |wc -l
    7723

Cherry picking the patches is easier.

ntpd source trees:

http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/
http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/

Luckily that is still up, atm ntp.org is down.
Here is the cached version of the notice:
http://webcache.googleusercontent.com/search?q=cache:support.ntp.org/bin/view/Main/SecurityNotice

--
Steve Clement
https://www.twitter.com/SteveClement
mailto:steve at localhost.lu
.lu: +352 20 333 55 65

> On 22 Dec 2014, at 11:06, Steve Clement <steve at localhost.lu> wrote:
>
> If someone could share a diff between ntpd 4.2.7 and 4.2.8 would be a good start.
I'd like to propose that FreeBSD move to OpenNTPD, which appears to have none of the fixed or unfixed (!) vulnerabilities that are present in ntpd. There's already a port.

--Brett Glass

At 03:25 AM 12/22/2014, Steve Clement wrote:

>Chances are good it is vulnerable:
>
>https://svnweb.freebsd.org/base/release/10.0.0/contrib/ntp/ntpd/ntpd.c?view=log
>https://svnweb.freebsd.org/base/release/10.1.0/contrib/ntp/ntpd/ntpd.c?view=log
>
>Regarding the diff:
>
>    diff -ru ntp-dev-4.2.7p486-RC ntp-4.2.8 |wc -l
>    7723
>
>Cherry picking the patches is easier.
>
>ntpd source trees:
>
>http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/
>http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/
>
>Luckily that is still up, atm ntp.org is down.
>Here is the cached version of the notice:
>http://webcache.googleusercontent.com/search?q=cache:support.ntp.org/bin/view/Main/SecurityNotice
>
>--
>Steve Clement
>https://www.twitter.com/SteveClement
>mailto:steve at localhost.lu
>.lu: +352 20 333 55 65
>
> > On 22 Dec 2014, at 11:06, Steve Clement <steve at localhost.lu> wrote:
> >
> > If someone could share a diff between ntpd 4.2.7 and 4.2.8 would be a good start.